
Chinese websites targeted in drive-by download attack that drops DDoS bot

27 Feb 18

Chinese websites have recently been targeted by a drive-by download campaign that dropped a Distributed Denial of Service (DDoS) bot by the name of Avzhan, a malware that has been around since 2010.

The most recent attacks were spotted by Malwarebytes Labs researchers, who say that the bizarre patterns of this particular drive-by download were not advanced, but they did demonstrate the use of several different exploits to distribute malware.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” Malwarebytes researcher Jérôme Segura explains.

The researchers spotted the campaign after analysing compromised sites that loaded external content through iframes and scripts.

Some of those sites hosted cryptomining malware; however, some redirects led to a server that hosts several exploits.

Those exploits include three that target vulnerabilities in ActiveX, Flash Player and Internet Explorer.
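The compromised-site pattern described above (pages pulling external content through iframes and scripts, and the injected VBScript snippets) can be checked for mechanically. The following scanner is an added example written for this article, not code from Malwarebytes or the original post; the page host and the sample HTML are constructed.

```python
# Added example: flag the injection pattern described in the article on a
# fetched page: iframes/scripts loading from another host, hidden iframes,
# and inline VBScript blocks. Sample HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect off-site iframe/script loads, hidden iframes and VBScript blocks."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, src) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag in ("iframe", "script"):
            src = a.get("src")
            if src:
                host = urlparse(src).hostname
                if host and host.lower() != self.page_host:
                    self.findings.append(("external_" + tag, src))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        if tag == "script":
            lang = (a.get("language") or a.get("type") or "").lower()
            if "vbscript" in lang:
                self.findings.append(("vbscript_block", ""))


def scan_html(html, page_host):
    """Return the findings for one page served from page_host."""
    parser = InjectionScanner(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a page on example.com with one legitimate same-origin
# script, an injected hidden iframe pointing off-site, and a VBScript block.
SAMPLE = """<html><body>
<script src="https://example.com/js/app.js"></script>
<iframe src="http://exploit-host.invalid/index.html" width="0" height="0"></iframe>
<script language="VBScript">document.write("x")</script>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE, "example.com"):
        print(kind, src)
```

Run it against saved copies of pages you administer; each finding is a lead to review by hand, since legitimate third-party scripts will also appear as off-site loads.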

The ActiveX vulnerability (CVE-2008-2551) is an old vulnerability that affects the C6 Messenger ActiveX control. The malware creator used old malware code and changed the download URL to point to their own malware.

The Flash vulnerability (CVE-2015-5119) is also an older vulnerability that affects all versions of Flash up to version 18.0.0.194. Malwarebytes researchers say this code was taken from a proof-of-concept and, in this instance, causes instability in the browser, which may cause it to crash.

The Internet Explorer vulnerability (CVE-2016-0189), also known as ‘God Mode’, was ‘commented out’, researchers explain.

All vulnerabilities were exploited to drop the Avzhan DDoS bot, which registers itself as a Windows Service.

Although researchers didn’t catch the bot in the act of conducting DDoS attacks, its capability is clearly evident in the code.

The malware has been lurking for several years, but researchers say it is anything but sophisticated. It has not really changed; the only modifications were made to hide the malware better and to add further configuration.

“Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same,” Segura says.

“Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.”
